[nsp] Cat6509 MSFC1 interface stats.

Dmitry Safronov dumone at zenon.net
Wed Dec 18 12:17:53 EST 2002


Hello James,

Most of the switching is done on the PFC card, so the better way is to
get the real counters from the Ethernet interface to which you have
connected the firewall.


Wednesday, December 18, 2002, 5:18:43 AM, you wrote:

JK> I see the counters, but they don't all represent
JK> reality.  In the example given below, the majority of
JK> the traffic should be inbound, but the opposite is
JK> true when looking at VLAN 101's counters:

JK> #sh int vlan101
JK> Vlan101 is up, line protocol is up
JK>   Hardware is Cat6k RP Virtual Ethernet, address is 0030.9633.1ca4 (bia 0030.9633.1ca4)
JK>   Internet address is x.x.x.x/29
JK>   MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
JK>      reliability 255/255, txload 1/255, rxload 1/255
JK>   Encapsulation ARPA, loopback not set
JK>   ARP type: ARPA, ARP Timeout 04:00:00
JK>   Last input 00:00:00, output never, output hang never
JK>   Last clearing of "show interface" counters never
JK>   Input queue: 0/75/0/6 (size/max/drops/flushes); Total output drops: 0
JK>   Queueing strategy: fifo
JK>   Output queue :0/40 (size/max)
JK>   5 minute input rate 0 bits/sec, 0 packets/sec
JK>   5 minute output rate 7000 bits/sec, 8 packets/sec
JK>      10713367 packets input, 697925445 bytes, 0 no buffer
JK>      Received 10178576 broadcasts, 0 runts, 0 giants, 0 throttles
JK>      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
JK>      263725465 packets output, 4248369389 bytes, 0 underruns
JK>      0 output errors, 1 interface resets
JK>      0 output buffer failures, 0 output buffers swapped out

JK> Note how much higher the output counters are, and that
JK> almost all input packets are broadcasts (which makes
JK> even less sense because there shouldn't be any
JK> broadcasts on that segment, unless these are HSRP
JK> packets (the switch has dual MSFCs)).

JK> The firewall is indeed using the switch as the next
JK> hop towards the internal network.  

JK> -----BEGIN PGP SIGNED MESSAGE-----
JK> Hash: SHA1

JK> Jim:

JK> sh int vlan101 should give you in/out counters no
JK> matter.. If you are not seeing any information then
JK> there is something wrong w/where you are looking. Is
JK> the fw using that address as a next-hop?

==DMT>>

JK> - ----SIGNATURE-------
JK> Douglas M. Todd, Jr.
JK> Network Engineering
JK> Partners Health Care
JK> Building 149
JK> 149 13 Street
JK> Charlestown, MA 02129-200
JK> Tel: 617.726.1403
JK> Email: dtodd@partners.org
JK> -
JK> --------------------------------------------------------------------
JK> PGP Finger Print: 9429 CAE3 B2D1 C2E1 DFBC  E7A6 E90A
JK> 9BE5 C7B6 47BC Key available via email. Verisign S/N:
JK> 3ff65cdf58b9dceda004baeed49e16cf
JK> https://digitalid.verisign.com/services/client/index.html

>> -----Original Message-----
>> From: cisco-nsp-bounces@puck.nether.net
>> [mailto:cisco-nsp-bounces@puck.nether.net]On Behalf Of James Kilton
>> Sent: Monday, December 16, 2002 9:01 PM
>> To: cisco-nsp@puck.nether.net
>> Subject: [nsp] Cat6509 MSFC1 interface stats.
>>
>>
>> I'm trying to collect traffic statistics for some VLAN interfaces on a
>> C6509.  A lot of the numbers I'm getting seem to be inaccurate.  For
>> example, there's one interface (VLAN 101) that only has a firewall
>> connected to it -- it's the corporate firewall that
>> all employee internet traffic goes through.  When I do
>> a 'show int vlan 101', there's a good deal of output
>> traffic, but virtually no input traffic. This is
>> counter-intuitive, as most internet traffic should be
>> inbound.
>>
>> Is there anything that could cause these counters to
>> be inaccurate, other than a buggy IOS release?  I'm
>> using CEF on the MSFC, not MLS, so I'm at a loss here.
>>
>> Thanks.
>>
>> __________________________________________________
>> Do you Yahoo!?
>> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
>> http://mailplus.yahoo.com
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp@puck.nether.net
>> http://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/

JK> -----BEGIN PGP SIGNATURE-----
JK> Version: PGP 7.0

JK> iQA/AwUBPf+RBQgiZycqTvq3EQKN3ACfTbcVA9zKbC3EmUweTHy3bHmj5RQAoL4D
JK> jAXkz3sSSNpyNJOC3UM78IG7
JK> =9dmh
JK> -----END PGP SIGNATURE-----




-- 
With best regards,
________________________________________
Dmitry Safronov
Zenon N.S.P.
Tel. +7(095) 956-4035, +7(812) 326-4468
Fax. +7(095) 251-5702
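
Added example (not part of the original thread): a small parser that applies the reply's advice to the `sh int vlan101` output quoted above, flagging counters read from the MSFC's virtual VLAN interface and an input count dominated by broadcasts. The function names and the 0.9 broadcast threshold are assumptions of this example.

```python
import re

# Counter lines from the `sh int vlan101` output quoted in the thread,
# with the mail-quoting prefixes and line wraps removed.
SAMPLE = """\
Vlan101 is up, line protocol is up
  Hardware is Cat6k RP Virtual Ethernet, address is 0030.9633.1ca4 (bia 0030.9633.1ca4)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 7000 bits/sec, 8 packets/sec
     10713367 packets input, 697925445 bytes, 0 no buffer
     Received 10178576 broadcasts, 0 runts, 0 giants, 0 throttles
     263725465 packets output, 4248369389 bytes, 0 underruns
"""

PATTERNS = {
    "name": r"^(\S+) is .*line protocol is",
    "hardware": r"Hardware is (.+?), address",
    "pkts_in": r"(\d+) packets input",
    "broadcasts": r"Received (\d+) broadcasts",
    "pkts_out": r"(\d+) packets output",
}

def parse_show_interface(text):
    """Extract the interface name, hardware type and packet counters."""
    out = {}
    for key, pat in PATTERNS.items():
        m = re.search(pat, text, re.MULTILINE)
        if m is None:
            raise ValueError(f"missing field: {key}")
        val = m.group(1)
        out[key] = int(val) if val.isdigit() else val
    return out

def assess(stats, bcast_threshold=0.9):
    """Flag counters that should not be used as a traffic measurement.

    The 0.9 threshold is an assumption of this example, not a Cisco figure.
    """
    findings = []
    if "Virtual Ethernet" in stats["hardware"]:
        findings.append("routed VLAN interface: read the physical port counters instead")
    if stats["pkts_in"] and stats["broadcasts"] / stats["pkts_in"] >= bcast_threshold:
        findings.append("input is almost entirely broadcasts")
    return findings

if __name__ == "__main__":
    s = parse_show_interface(SAMPLE)
    print(s, assess(s), sep="\n")
```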



